The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."

The LibreSSL code base is on OpenBSD.org, and the project is supported financially by the OpenBSD Foundation and OpenBSD Project. LibreSSL has a bare bones website that is intentionally unappealing.

"This page scientifically designed to annoy web hipsters," the site says. "Donate now to stop the Comic Sans and Blink Tags." In explaining the decision to fork, the site links to a YouTube video of a cover of the Twisted Sister song "We're not gonna take it."

LibreSSL is initially built for OpenBSD and will support multiple operating systems after the code and funding are shored up. The OpenBSD operating system itself was created as a fork of NetBSD in 1995.

When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and [are] still left alone."

De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

The OpenBSD team started working on LibreSSL about a week ago, he told Ars.

OpenSSL Software Foundation President Steve Marquess declined comment on LibreSSL, saying, "I haven't had the chance to look at what they're doing so I don't want to comment at this time."

In a blog post last week, Marquess described OpenSSL's struggle to obtain funding and code contributions.

"I’m looking at you, Fortune 1000 companies," Marquess wrote. "The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications. The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are."

As for Heartbleed, "the mystery is not that a few overworked volunteers missed this bug," Marquess wrote. "The mystery is why it hasn’t happened more often."

The Heartbleed flaw, which can expose user passwords and the private encryption keys used to protect websites, was accidentally added to the code by a volunteer contributor and went undetected for two years.

Promoted Comments

As someone who has worked with the OpenSSL libraries I can say that this has been far too long in coming. I was always amazed at how a piece of code that is used by millions of people can have such nasty and poorly documented APIs.

Such a shame big corporations with deep pockets can't give back to a community they've taken so much from.

If you give it away for free, do you honestly expect people to pay for it? Arse clowns throughout corporate America are dazzling their superiors by embracing free software...I see it every day. I also see the carnage that results when the "free" software ends up costing the company dearly in the end.

I donate. It is a give and take cookie jar but very few pitch in ingredients for the best cookies to keep rolling. If the top 1000 companies just donated $1000 a year that is a million dollars to support and keep the goodness rolling.

"This page scientifically designed to annoy web hipsters," the site says. "Donate now to stop the Comic Sans and Blink Tags."

I don't understand how this promotes the cause of a new crypto library or is the starting point for a new, well-supported, maintainable code base...

Maybe I don't get the irony?

Forking an established project and throwing out half the code sounds like par for the course for hipsters to me. Yet another example of the "if you're insulting hipsters you probably are one" truism. I'm fairly certain the first thing that defines the hipster is lack of the understanding that they're a hipster.

It is possible they just don't know how to make a website. Everyone knows the <blink> tag is no longer supported by any modern web browser.

Except they threw out half the code and it still works. The phrase that comes to mind is "technical debt".

In my case, throwing out half the code and having it still work means I did a shitty job of testing. Hopefully that's not the case with them.

I'm just trying to imagine how an R&D engineer would fill out the standard expense report for the donation:

Business justification: because it's the right thing to do.

What is the impact to the project if this purchase is not approved: Er... nothing.

REJECTED.

I'm not sure if people are down voting you because they agree with the obvious truth of what you say but don't like it, or because they disagree. Either way, it seems to me that something like SSL should be controlled by a non-profit industry group composed of any interested party. This group could develop and test software, and rather than giving it away, sell it for a small licensing cost that covers the overhead of the organization. This could be done in a way that's similar to open source, but more tightly controlled. I'm sure that given the competitive nature of the tech companies, this is probably not possible - too bad, because the public needs something considerably more secure than we have now. It seems like the functions of SSL that need to be improved are well known, and there are many people who could contribute to a good effort to fix it.

It's a shame they dropped FIPS support - there's now no way that RHEL or SLES will ever switch, and given the enormous market share that RHEL (and RHEL-like distros) and SLES have, it vastly limits the chances that this fork will ever gain critical mass.

I would bet anyone that most companies wouldn't want to donate money to OpenSSL just because they don't "profit" from using OpenSSL and it doesn't "add value" to their applications. It's an almost invisible feature to most users and you can't really tout "Supports OpenSSL!" or "Supports encrypted data!" as a tagline to grab users, because mostly everyone uses it. It's not an advantage over the competitor in most cases since your competitor also likely uses it.

If a lead software developer working under A Big Corporation D goes to his manager and says, "We use OpenSSL in our application and I think it would be a good idea to donate money to them so they can keep their project going," the project manager would respond with, "Donate money? If we don't have to pay to use it why would we give them money?"

One of my English teachers in college once told the class that if she has offended every single person in the class by the end of the semester, then she will be quite satisfied with that accomplishment. She was a decent enough teacher, in her professional capacity... she just didn't actually like other people. These people remind me of that teacher.

(That's not a good thing, in case you were unsure.)

And yes... the one time I spoke to her directly, she did indeed attempt to offend me; I just walked away, shaking my head in confusion.

As a cynic, it's great laugh after great laugh. Otherwise it's a chain of seemingly never ending WTFs.

And I personally had to see for myself that they really did feed the RNG with parts of secret keys in case it runs low on entropy. I wouldn't have believed it otherwise.

A word of warning, though, if you relied or rely on OpenSSL: You might be scared shitless.

Business Justification: Because it does all our super important crypto, and we can't afford to have bugs in it!

What is the impact to the project if this purchase is not approved: Less devs working on our crypto, more security holes, a bad day for many.